Banks across Europe are coping with a wave of cybercrime in which crooks transfer funds out of customer accounts, using a scam that bypasses some two-factor authentication systems to steal large sums, according to a security firm assisting in the investigation.

The funds transfers are affecting 34 institutions, says Tom Kellermann, chief cybersecurity officer at Trend Micro, which is assisting law enforcement in Europe with combatting this crime wave seen first in Germany during the spring, and now across several countries, including Austria, Switzerland and Sweden. So far, the crimes are being traced to Romania and Russia. The amount of money that’s been fraudulently whisked out of both consumer and commercial bank accounts appears to be running in the millions.

Trend Micro isn’t naming the affected banks, but today issued a report “Finding Holes: Operation Emmental,” describing the attacks on them. It says the attack typically works by first sending an e-mail to the intended victims in their local language, pretending to be a retailer in Germany or Switzerland, for example.

For those who fall for opening an attachment associated with it, the resulting malware infection can change the Domain Name System server settings to point to one that is under the attacker’s control. That lets the attacker gain control over how the infected system resolves Internet domains. The malware then installs a new root Secure Sockets Layer certificate in the infected system, which allows the attackers to display content from secure phishing sites without the user receiving a warning, and the malware then deletes itself without leaving a trace.

“That means if the infection attempt was not immediately detected, any anti-malware check that follows will not detect anything since that file will no longer be there,” the report notes. All that remains on the system is the effect of the attacker’s configuration changes.
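Because the dropper deletes itself, the two configuration changes described above (altered DNS server settings and an added root certificate) are what a defender can still check for. The following is an added example, not code from the Trend Micro report: it compares a snapshot of a host's resolver and root-store settings against a known-good baseline. The snapshot layout, function names, and all sample values are assumptions constructed for illustration; collecting the snapshot from a real host is out of scope here.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class RootCert:
    thumbprint: str  # certificate thumbprint as reported by the OS store
    subject: str
    store: str       # e.g. "LocalMachine" or "CurrentUser"

def rogue_resolvers(adapters, approved_nets):
    """Return (adapter, ip) pairs whose DNS server lies outside every approved network."""
    nets = [ipaddress.ip_network(n) for n in approved_nets]
    return [(name, ip)
            for name, servers in adapters.items()
            for ip in servers
            if not any(ipaddress.ip_address(ip) in net for net in nets)]

def unexpected_roots(roots, baseline_thumbprints):
    """Return trusted roots whose thumbprint is absent from the baseline."""
    norm = lambda t: t.replace(" ", "").upper()
    base = {norm(t) for t in baseline_thumbprints}
    return [c for c in roots if norm(c.thumbprint) not in base]

def audit(adapters, roots, approved_nets, baseline_thumbprints):
    """Both residues together match the pattern in the article; one alone needs review."""
    dns = rogue_resolvers(adapters, approved_nets)
    certs = unexpected_roots(roots, baseline_thumbprints)
    if dns and certs:
        verdict = "high"
    elif dns or certs:
        verdict = "review"
    else:
        verdict = "clean"
    return {"verdict": verdict, "dns": dns, "roots": certs}

# Constructed sample data (documentation address ranges, made-up thumbprints).
APPROVED_NETS = ["10.0.0.0/8"]
BASELINE = ["AA" * 20, "cc" * 20]
SAMPLE_ADAPTERS = {"Ethernet": ["192.0.2.53"], "Wi-Fi": ["10.0.0.2"]}
SAMPLE_ROOTS = [
    RootCert("AA" * 20, "CN=Example Trusted Root", "LocalMachine"),
    RootCert("BB" * 20, "CN=Unrecognized Root", "CurrentUser"),
]

if __name__ == "__main__":
    print(audit(SAMPLE_ADAPTERS, SAMPLE_ROOTS, APPROVED_NETS, BASELINE))
```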

The result for the victims is that when users of infected machines try to access bank domains, they are directed to a malicious server instead. These phishing sites ask them to log in, reveal their usernames, bank account numbers and other information that might be part of a typical online banking process. The users are asked to give away their personal identification numbers, the first authentication factor to access their accounts.

This complicated cyber-fraud also involves tricking the user into installing a fake Android app that works to subvert the multi-factor one-time password system that may be in use, according to Trend Micro.

Typically, users are asked to provide a one-time password generated by the bank’s mobile app. “The regular procedure is to wait for an SMS from the bank but instead of that, the phishing page instructs the user to install a special mobile app in order to receive a number presumably via SMS that they should then type into a website form,” the Trend Micro report notes.

Screen shot of the Android mobile malware used in the European cybercrime banking scam.

It’s all part of the scam. The SMS that the bank should supposedly have sent never arrives so the targeted victim is forced to click the “I didn’t receive the SMS” link. Victims are fooled into installing the fake mobile app, which lets the attackers “gain full control of users’ online banking sessions because in reality, it intercepts session tokens sent via SMS to user phones, which are then forwarded to the cybercriminals.” At the end, the attackers have everything they need to fake the users’ online banking transactions.

The whole operation, which Trend has dubbed “Emmental,” requires the attackers to deploy a Windows malware binary, a malicious Android app sporting various banks’ logos, a rogue DNS resolver server, a phishing Web server and several fake bank site pages, and a command-and-control server.

Investigators suspect the attackers may be Russian: some traces of Russian language have been found in the attack code. There are also some connection logs from underground sources tying this back to Romania. “A Russian speaker based in Romania could be responsible for the whole operation,” Trend Micro surmises in its report. “Or the brains behind the operation could be based in Russia and the Romanian connection only plays a small part in the attack. We cannot say for sure.”

One worry in all this is that the attackers are exploiting a weakness in single-session token protection strategies. There may be a need to consider adopting other strategies, such as “use of multiple transaction authentication numbers (TANs), photo TANs, and card readers,” the report points out. This “Emmental” bank fraud operation appears to mainly be occurring in Europe, but there’s concern something like it could spread elsewhere, including the U.S., in the future.